On Wed, May 4, 2016 at 10:42 AM, Prabath Siriwardana <prab...@wso2.com> wrote:
> Can you please check whether we support the following under both the password
> recovery and user signup flows... if not, can we please accommodate them...
>
> 1. The verification code expires after some time
> 2. Ability to resend the verification code (a new one) by the admin or by
> the user

We have the above two.

> 3. After the password reset, send an email to the user's registered email
> address - confirming the action
> 4. Whenever a password reset is initiated with secret questions - send an
> email to the user's registered email address.
> 5. Lock the account after n number of tries to reset the password via
> secret questions - or present a captcha

Can do the above.

> 6. Use Google reCAPTCHA

We were considering doing this also.

> 7. Capture statistics on password recovery
> 8. When a registered user tries to log in to the system without verifying
> the code - inform him verification is pending - and give the ability to
> resend the verification code.

Can do.

Regards,
Johann.

>
> Thanks & regards,
> -Prabath
>
> On Wed, Apr 27, 2016 at 11:38 PM, Malithi Edirisinghe <malit...@wso2.com>
> wrote:
>
>> Hi All,
>>
>> I'm working on supporting user information recovery scenarios in the IS user
>> portal [1].
>>
>> While discussing the user aspects of password recovery with security
>> questions with the UX team, we came across the below concern.
>>
>> 1. Should we view all of the security questions chosen by the user, from
>> each question set, on the same page?
>>
>> 2. Should we view the question chosen from each question set on a
>> separate page, and make the user go page by page answering each question?
>>
>> If we choose option (1), we should be able to verify the user's answers to all
>> the questions in one step. If all are answered properly we will let the
>> user proceed; otherwise we will notify the user, on the next page, that he has
>> not correctly answered one or more.
>>
>> If we choose option (2), at each step we will verify the user's answer to
>> the question prompted. If the first one is properly answered, prompt the
>> second question and let him proceed similarly; otherwise break the flow.
>>
>> However, with the information recovery service implementation in IS, we can
>> only support option (2) at the moment.
>> But it seems most sites opt for option (1).
>>
>> We would like to clarify which option we should proceed with. We would also
>> like to clarify any security concerns with regard to the above options.
>>
>> Appreciate your thoughts.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>
>> Thanks,
>> Malithi.
>> --
>>
>> Malithi Edirisinghe
>> Senior Software Engineer
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
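Added example, not part of this thread and not WSO2 Identity Server code: a Python sketch of Malithi's option (1), checking every security-question answer in a single step and returning one pass/fail verdict for the whole set, combined with item 5 from Prabath's list, locking the account after n failed recovery attempts. For contrast it also includes a one-question-at-a-time check in the shape of option (2); its per-step result necessarily tells the caller which individual answer was wrong, which is the security difference between the two flows that the thread asks about. The function names, the attempt limit, the lock duration, the answer normalisation and the PBKDF2 parameters are all assumptions chosen for the illustration; the enrolled answers are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (item 5 says "n tries"; n and the lock time are not
# specified in the thread).
MAX_ATTEMPTS = 3
LOCK_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 50_000  # assumed; tune for the deployment


def normalise(answer: str) -> str:
    """Case/whitespace-insensitive comparison is an assumed UX choice."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored hashed, never in clear, so a DB leak does not
    # hand out the recovery secrets.
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode(), salt, PBKDF2_ITERATIONS
    )


@dataclass
class RecoveryAccount:
    answers: dict            # question_id -> (salt, pbkdf2_hash)
    failed_attempts: int = 0
    locked_until: float = 0.0


def enroll(answers_by_question: dict) -> RecoveryAccount:
    """Store a per-question salted hash of each chosen answer."""
    stored = {}
    for qid, answer in answers_by_question.items():
        salt = secrets.token_bytes(16)
        stored[qid] = (salt, hash_answer(answer, salt))
    return RecoveryAccount(answers=stored)


def _record_result(account: RecoveryAccount, ok: bool, now: float) -> str:
    """Item 5: count failures and lock after MAX_ATTEMPTS."""
    if ok:
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.failed_attempts = 0
        account.locked_until = now + LOCK_SECONDS
        return "locked"
    return "failed"


def verify_all(account: RecoveryAccount, submitted: dict, now=None) -> str:
    """Option (1): all questions answered on one page, one verdict.

    Returns "ok", "failed" or "locked". The caller never learns which
    question was wrong, and every hash is computed regardless of earlier
    mismatches, so neither the verdict nor the timing singles one out.
    """
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    ok = set(submitted) == set(account.answers)   # missing/extra answers fail
    for qid, (salt, expected) in account.answers.items():
        match = hmac.compare_digest(
            hash_answer(submitted.get(qid, ""), salt), expected
        )
        ok = ok and match
    return _record_result(account, ok, now)


def verify_step(account: RecoveryAccount, qid: str, answer: str, now=None) -> str:
    """Option (2): one question per page.

    Same lockout bookkeeping, but because the flow breaks on the first
    wrong answer, the result of each call reveals whether that particular
    answer was correct, so the questions can be attacked independently.
    """
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    salt, expected = account.answers[qid]
    ok = hmac.compare_digest(hash_answer(answer, salt), expected)
    return _record_result(account, ok, now)


if __name__ == "__main__":
    # Constructed sample enrolment.
    acct = enroll({"q1": "Rex", "q2": "Colombo", "q3": "Blue"})
    print(verify_all(acct, {"q1": "rex ", "q2": "colombo", "q3": "blue"}))
    for _ in range(3):
        print(verify_all(acct, {"q1": "Rex", "q2": "Kandy", "q3": "Blue"}))
```

With the one-step check the three wrong guesses above produce "failed", "failed", "locked" and nothing else; the equivalent per-question flow would have told the guesser that q1 and q3 were already right.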
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev